Wondering how to prevent JavaScript from stealing a session cookie? Major browsers have the answer: add the HttpOnly attribute to the cookie to protect it from malicious JavaScript code (an HttpOnly cookie is still sent with requests, but scripts on the page cannot read it through document.cookie). Full details are available at MSDN.
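As an added example that is not part of the original post, here is a small audit that parses the Set-Cookie headers a server returns and reports which cookies lack HttpOnly, i.e. which ones an injected script could still read; the header values are constructed samples.

```python
"""Audit Set-Cookie response headers for the HttpOnly attribute.

Added example, not code from the original post: reports cookies that a
page's JavaScript could still read via document.cookie (no HttpOnly).
"""
from typing import List, NamedTuple


class CookieAudit(NamedTuple):
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name plus two flags.

    Attribute names are case-insensitive (RFC 6265), so 'httponly',
    'HttpOnly' and 'HTTPONLY' are all recognised.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names only; values such as 'path=/' are dropped after '='.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, httponly="httponly" in attrs, secure="secure" in attrs)


def cookies_readable_by_script(headers: List[str]) -> List[str]:
    """Names of cookies set without HttpOnly; an empty list means all are protected."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


# Constructed sample headers: a PHP session cookie as emitted without
# HttpOnly support, the same cookie with the flag, and an unrelated one.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/",
    "PHPSESSID=abc123; path=/; HttpOnly",
    "prefs=dark; path=/; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        a = parse_set_cookie(h)
        print(f"{a.name}: HttpOnly={a.httponly} Secure={a.secure}")
    print("readable by script:", cookies_readable_by_script(SAMPLE_HEADERS))
```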

Since this option is well-supported (AFAIK MSIE, Mozilla/Firefox/Gecko and Konqueror support it), it’s unclear why PHP doesn’t support it yet. I’ve written a patch to add HttpOnly support to PHP. After applying the patch, add this string to your php.ini: